SQL Injection Vulnerability!

Posted on Wednesday, February 04, 2004 @ 21:05:04 CET in Security
by Raven

Please! Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! please note that Chatserv's Patches have this fix in them, but FB should have patched his releases by now and hasn't!

Admin Note: See this post for further discussion and code for protecting your site.
 
 
click Related        click Share
 
 
Associated Topics

Bugs - Fixed


Bugs and Alerts
 
 

Re: SQL Injection Vulnerability! (Score: 1)
by Lateron on Wednesday, February 04, 2004 @ 23:00:31 CET

(User Info | Send a Message) http://www.ausvegnet.com

In the two or three years that I have been using phpNuke I have never looked at the Reviews module until today. I wonder how many sites actually use this.

Raven,

I checked out your Reviews module and there is one entry in it. Is that supposed to open when I click on it because it doesn't: it loops back.

Regards,
Ron..

Re: SQL Injection Vulnerability! (Score: 1)
by Raven
on Wednesday, February 04, 2004 @ 23:05:45 CET
(User Info | Send a Message)

That review had been removed. Look at my web hosting site to see how the reviews module is supposed to work.

 
 

Re: SQL Injection Vulnerability! (Score: 1)
by paranor on Thursday, February 05, 2004 @ 08:05:35 CET
  
(User Info | Send a Message)

w00t - thanks guys. That's why I host here!

:)

 
 

Re: SQL Injection Vulnerability! (Score: 1)
by sharlein on Thursday, February 05, 2004 @ 10:35:16 CET

(User Info | Send a Message)

Raven, I had 5 instances of this problem, Where did I go wrong? Also, it is it safe to install Chat's patches on a GT site?

 
News ©

Site Info

Last SeenLast Seen
  • neralex
  • kguske
Server TrafficServer Traffic
  • Total: 393,849,348
  • Today: 9,003
Server InfoServer Info
  • Nov 14, 2019
  • 05:45 am CET